include?

A

Anonymous

Guest
Hello everyone...

I've been developing a simple SQL database accessed using PHP. My problem is that I need to prevent users accessing particular files (.htm and .swf) directly using a browser. To this end, I have used an INCLUDE command to call the relevant file(s) from inside the PHP. However, no matter what way I try to set-up the access permissions on the directories involved, I am left with either a totally non-secure directory, or one that I can neither view by browser or via PHP. Can anyone offer any help on this subject? I'm tearing my hair out!
Thanks all,
Sleeping_Sloth
 
You could move all your private files outside your public http directory and make a standalone script that you can use to access them via header() and readfile() but also have an if statement in it like
if ($access_allowed){ /* headers and readfile goes here */ }
and define $access_allowed as true in the script your calling from that way people can't access it alone, but your script can.
 
could you be a bit more specific about what the standalone would need to include please? I'm a bit new to unix scripting...
Thanks
Sleeping_sloth
 
OK, here goes :), first thing you do is move those files to a new directory outside the public directory of your server so that nobody can access them. Next you make a php script that is done like this...
Code: 
<?php
if (@$fileaccess){
	$secure_dir = '/path/to/new/directory/';
	header("Content-type: application/octet-stream");
	header("Content-length: ".filesize(stripslashes($secure_dir.$_GET['filename'])));
	readfile(stripslashes($secure_dir.$_GET['filename']));
} else echo('Access Denied');
?>
Now anytime you want your content, define $fileaccess = true; in your other scripts and make sure you fix $secure_dir to where your putting all the files. If you wanted intro.swf, you would put " file.php?filename=intro.swf " (without the quotes :p) as the url to the file. (This example only works if the above code is in a file named 'file.php').
 
Thanks very much....

I've set that up now, but because the .swf is embedded in html, the .swf won't load.

Do you have any suggestions about getting the embedded .swf working?

Thanks again,
Sleeping_Sloth
 
I don't know much at all about flash so I don't even know what you mean about it being embedded... :oops:
 
Thanks for your continued support Xerpher... :D

The embedded .swf file needs to be called as a .html object, and can't be opened as it is - a fileopen on a .swf without the relevant object bits just gives a big mess of hext or something.

I had already considered putting the .swfs in the database, but this can't be done because the .swf is referenced twice in the html object tag- once to identify the file, and a second time to insert the contents.

I'm just about at my wits end about this! - there must be some way of doing what I want, but I don't know what it is!

Any suggestion will be much appreciated!

Thanks,
Sloth out
 
If I understand you correctly, you just put "file.php?filename=intro.swf" where you would put the link to the swf file in the html code... this php script does NOT force a download.
 
Okay, I just have one question then...

how do I set $file_access so that the file.php script will accept it- wouldn't that value have to be passed to file.php?

Thanks again,
Sloth out
 
Oh yea, forgot about the security statement... best way to do that is to set a session variable in your site or.... hm, in this case you would have to make an elaborate session & $_SERVER vars authetication system, or something along those lines, which is more work then I have time for right now, so basically, I can only suggest this which is basically a forced security hole for swf files:

Code: 
<?php 

if (@$fileaccess || substr($_GET['filename'], -3) == 'swf'){ 
   $secure_dir = '/path/to/new/directory/'; 
   header("Content-type: application/octet-stream"); 
   header("Content-length: ".filesize(stripslashes($secure_dir.$_GET['filename']))); 
   readfile(stripslashes($secure_dir.$_GET['filename'])); 
} else echo('Access Denied'); 
?>
 
You must log in or register to reply here.
Back
Top